FAQ: The SirCam worm

Here are answers to common questions regarding the SirCam worm.
Written by David Becker, Contributor
Here's answers to common questions regarding the SirCam worm.

What is SirCam?
SirCam is a malicious program with characteristics of a worm--a self-propagating piece of destructive code--and a virus, a malicious program that attaches itself to other files. It also has qualities of a "Trojan horse" in that it poses as a harmless file.

How can I tell if a message I receive is infected by SirCam?
All SirCam messages arrive with an attachment and an email subject line, but these are different for every SirCam message. That's because each time the SirCam worm infects a computer, it randomly plucks a document from that computer and sends itself out with the document attached--drawing the email subject line, and the name of the attachment itself, from the title of the pilfered document.

Each virus-carrying message contains the same text in the body of the message, however. The first and last lines are "Hi! How are you?" and "See you later. Thanks" in the English version of the message and "Hola como estas?" and "Nos vemos pronto, gracias" in the Spanish version.

How dangerous is SirCam?
The main threat posed by the worm is possible security breaches from its propagation method. By attaching randomly chosen documents to itself, the worm could share confidential information with others.

SirCam also can perform several destructive acts based on a combination of arcane PC settings and chance. If the infected PC uses the European date format (day/month/year), for example, there is a 1-in-20 chance the worm will delete all files and folders on that computer's hard drive on Oct 16.

What should I do if I receive an infected message?
Delete the message, then check to see if your PC is infected. Locating and removing the infection on your own is a relatively complex process, as detailed in a McAfee document.

The easier approach is to use the automated SirCam detection and removal tool available for free downloading from antivirus-software maker Symantec.

How can I keep SirCam messages from flooding my mailbox?
If your Internet or email service provider screens incoming messages, your mailbox should be safe, although Hotmail users have reported that the service's virus filters have failed to catch SirCam.

For those who use unfiltered services--and for unlucky Hotmail users--you're on your own. Install antivirus software on your PC, keep it updated, and set it to screen your email--at least infected messages won't be able to deliver their payload.

Most email programs also allow you to set up rules for incoming messages. Using a tool such as the Rules Wizard in Microsoft Outlook, for instance, you could set up a rule that all incoming messages with the body text "See you later. Thanks" are moved to a separate folder, where you can easily delete any suspicious entries.

What will happen to the creator of SirCam?
Probably nothing. An FBI representative said Monday that she was not aware of any SirCam-related investigation. Usually only the most destructive viral outbreaks, such as the Love Letter epidemic, generate significant law-enforcement attention.

Editorial standards